Skip to main content

Paddlepaddle CVE-2023-52314

CRITICAL
OS Command Injection (CWE-78)
2024-01-03 paddle-security@baidu.com
9.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.6 CRITICAL
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Analysis Generated
Mar 28, 2026 - 19:33 vuln.today
Patch released
Mar 28, 2026 - 19:33 nvd
Patch available
CVE Published
Jan 03, 2024 - 09:15 nvd
CRITICAL 9.6

DescriptionCVE.org

PaddlePaddle before 2.6.0 has a command injection in convert_shape_compare. This resulted in the ability to execute arbitrary commands on the operating system.

AnalysisAI

PaddlePaddle before 2.6.0 has a command injection in convert_shape_compare. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This OS Command Injection vulnerability could allow attackers to execute arbitrary operating system commands on the host.

Technical ContextAI

This vulnerability is classified as OS Command Injection (CWE-78), which allows attackers to execute arbitrary operating system commands on the host. PaddlePaddle before 2.6.0 has a command injection in convert_shape_compare. This resulted in the ability to execute arbitrary commands on the operating system. Affected products include: Paddlepaddle. Version information: before 2.6.0.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Avoid passing user input to shell commands. Use language-specific APIs instead of shell execution. Apply strict input validation with allowlists.

CVE-2024-0917 CRITICAL POC
9.8 Mar 07

remote code execution in paddlepaddle/paddle 2.6.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely e

CVE-2023-38673 CRITICAL POC
9.8 Jul 26

PaddlePaddle before 2.5.0 has a command injection in fs.py. Rated critical severity (CVSS 9.8), this vulnerability is re

CVE-2023-38671 CRITICAL POC
9.8 Jul 26

Heap buffer overflow in paddle.trace in PaddlePaddle before 2.5.0. Rated critical severity (CVSS 9.8), this vulnerabilit

CVE-2023-38669 CRITICAL POC
9.8 Jul 26

Use after free in paddle.diagonal in PaddlePaddle before 2.5.0. Rated critical severity (CVSS 9.8), this vulnerability i

CVE-2022-46742 CRITICAL POC
9.8 Dec 07

Code injection in paddle.audio.functional.get_window in PaddlePaddle 2.4.0-rc0 allows arbitrary code execution. Rated cr

CVE-2022-45908 CRITICAL POC
9.8 Nov 26

In PaddlePaddle before 2.4, paddle.audio.functional.get_window is vulnerable to code injection because it calls eval on

CVE-2024-0818 CRITICAL POC
9.1 Mar 07

Arbitrary File Overwrite Via Path Traversal in paddlepaddle/paddle before 2.6. Rated critical severity (CVSS 9.1), this

CVE-2022-46741 CRITICAL POC
9.1 Dec 07

Out-of-bounds read in gather_tree in PaddlePaddle before 2.4. Rated critical severity (CVSS 9.1), this vulnerability is

CVE-2024-0815 HIGH POC
8.8 Mar 07

Command injection in paddle.utils.download._wget_download (bypass filter) in paddlepaddle/paddle 2.6.0. Rated high sever

CVE-2024-0817 HIGH POC
7.8 Mar 07

Command injection in IrGraph.draw in paddlepaddle/paddle 2.6.0. Rated high severity (CVSS 7.8), this vulnerability is lo

CVE-2024-1603 HIGH POC
7.5 Mar 23

paddlepaddle/paddle 2.6.0 allows arbitrary file read via paddle.vision.ops.read_file. Rated high severity (CVSS 7.5), th

CVE-2023-38672 HIGH POC
7.5 Jul 26

FPE in paddle.trace in PaddlePaddle before 2.5.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploit

Share

CVE-2023-52314 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy